In recent years, Brazil’s transformation into a global financial superpower has taken the world by surprise. Just two decades ago, competition among the handful of banks that dominated the market was scant, pricing was high for consumers, and innovation was rare. In short, it wasn’t exactly the best place to start a FinTech. That all changed when policymakers made a few very smart decisions that jumpstarted an unprecedented financial revolution. Brazil’s newfound financial success, however, has resulted in new fraud (including SIM swap fraud) and a surge in kidnappings. Fortunately, new technologies have the potential to help Brazilian companies stop fraudsters without compromising user experience.
There are a handful of policy decisions that have led to Brazil’s financial success. Brazilian lawmakers enacted reforms to make it easier for fintech companies to secure licenses and, perhaps even more critically, embrace an instant payments system called PIX. With PIX, Brazilians can transfer funds for free on their phones. Thanks to these advancements, Brazil became one of the most tech-friendly and innovative places in the world and, more importantly, Brazilians benefited greatly. Brazilians’ access to financial services increased from 57% to 86% between 2009 and 2022 and a new generation of Brazilian entrepreneurs has started successful and globally recognized FinTechs, creating many high-paying jobs in the process.
Unfortunately, growth and pain are inextricably linked. As money moves around Brazil faster than ever before and FinTechs flourish, fraud continues to skyrocket nationally. In Brazil, elaborate scams conducted by organized criminal syndicates threaten to slow down Brazil’s burgeoning tech sector, eroding consumer trust and harming the overall economy in the process. At the root of most of the fraud is the SIM swap (aka SIM jacking).
How does SIM swap fraud work in Brazil?
It all starts with producing what fraud experts call a “synthetic ID.” This is an identification that has a mixture of stolen and legitimate information associated with it. To create the synthetic identity, the fraudster must first obtain the original template of the Brazilian National ID (“Cedula de Identidade”), which is the primary document used for authentication processes via document scans. In many ways, it’s similar to a driver’s license in the United States as it varies from state to state. To obtain the original template, fraudsters, many of whom are associated with organized gangs, will either steal them from an individual or even go as far as infiltrating the government agencies responsible for issuing these IDs.
Once in possession of the templates, the fraudster needs legitimate information to add to the ID cards. Of course, they can’t use their own information, so they must build out a list of targets and gather the victims’ information both on social media and on the dark web. Contact information, including the victim’s name, date of birth, and mobile operator, can be purchased on the dark web for as little as R$100 or US$20. After filling out the stolen template with the victim’s real information, the fraudster will then add a photograph of themselves to the document. And just like that, the fraudster has a synthetic National ID. This allows fraudsters to bypass the document-scanning KYC checks.
With their new synthetic National ID in hand, the fraudster travels to one of the mobile operator’s stores where the victim has their cell phone account. At the store, they show their ID to the Operator Consultant, who verifies that the picture matches the person, and then they request a new SIM card. As soon as the fraudster owns the SIM card, they have a small window of time to act before the victim realizes that their mobile phone no longer has service and files a report to the mobile operator.
During this critical window, the fraudster commits SIM swap fraud by opening a digital bank account (known as “Contas Laranjas” or orange accounts) using phony credentials. With the newly created orange account in hand, the fraudster will commit a series of crimes, including applying for a loan from one of the Brazilian lending FinTechs with no intention of paying the money back. After fraudulently applying for the loan, the criminal syndicates will leverage the orange account to commit “PIX fraud.”
What is PIX Fraud?
PIX is the Brazilian central bank-sponsored P2P money transfer system (similar to FedNow, which will be launched in the next few years in the United States). PIX fraud is generally committed by members of a gang who will force victims (often at gunpoint) to transfer funds to the orange account. In 2020, after PIX was established, there was a 40% increase in these “lightning kidnappings” in São Paulo. “These lightning kidnappings were kind of dormant. But since PIX entered the market in November last year, we have noticed a significant increase in cases,” said Tarsio Severo, a member of the Special Police Operations in São Paulo. After robbing a handful of victims, the criminal organization pulls out the money from the orange account and leaves without a trace. This cycle is repeated again and again, driving crime and putting the safety of the general public at extreme risk. In an attempt to deter criminals from misusing Instant Payments, the central bank in Brazil has placed a $200 transfer limit on P2P payments between 8 pm and 6 am, when most attacks occur. Although this limitation might be necessary for now, it places an unfair burden on the legitimate customer and does not address the root of the problem: poor identity proofing.
How can companies stop SIM swap fraud in Brazil?
Trust Score™ is a dynamic measurement of a phone number's reputation that can be utilized for the purpose of identity verification and authentication. It employs an analysis of behavioral patterns and Phone-Centric Identity™ signals from reliable sources during a potential transaction to prevent fraud, such as SIM swap fraud and other account takeover schemes. Trust Score is a versatile tool that can help secure the customer experience across various scenarios, including digital onboarding, digital servicing, and existing customer authentication.
One of the most common applications of Trust Score is to serve as a trust indicator before sending a one-time passcode to identify potential risks such as an insecure VOIP line, SIM swap, and low SIM tenure. By checking Trust Score before sending SMS OTPs, companies can make an informed decision on whether to send an OTP or not. For instance, if Trust Score reveals that the line-type is VOIP or that a SIM swap has occurred recently, the company can opt to verify the consumer using a different method instead of sending an OTP.
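The pre-OTP check described above can be sketched as a small policy gate. This is an added example, not code from the article or from any vendor's API: the `PhoneSignals` fields, the reason strings and both thresholds are assumptions chosen for illustration, and the sample inputs are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds (not from the article); tune to your own risk appetite.
SIM_SWAP_LOOKBACK = timedelta(hours=72)
MIN_SIM_TENURE = timedelta(days=30)

@dataclass
class PhoneSignals:
    """Hypothetical shape of a phone-intelligence lookup result for one number."""
    line_type: str | None = None             # "mobile", "voip", ...; None if unknown
    last_sim_swap: datetime | None = None    # None means no swap on record
    sim_activated: datetime | None = None    # None means tenure unknown
    lookup_ok: bool = True                   # False if the lookup failed or timed out

def otp_decision(sig: PhoneSignals, now: datetime) -> tuple[str, list[str]]:
    """Return ("send_otp" or "step_up", reasons). Missing data fails closed."""
    if not sig.lookup_ok:
        return "step_up", ["signal_lookup_failed"]
    reasons = []
    line = (sig.line_type or "unknown").lower()
    if line != "mobile":                     # VOIP or unknown lines get no SMS OTP
        reasons.append(f"line_type_{line}")
    # A swap timestamp in the future (clock skew) also counts as recent.
    if sig.last_sim_swap is not None and now - sig.last_sim_swap <= SIM_SWAP_LOOKBACK:
        reasons.append("recent_sim_swap")
    if sig.sim_activated is None:
        reasons.append("sim_tenure_unknown")
    elif now - sig.sim_activated < MIN_SIM_TENURE:
        reasons.append("low_sim_tenure")
    return ("step_up" if reasons else "send_otp"), reasons

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)   # constructed sample data
    old = now - timedelta(days=700)
    samples = {
        "long-held mobile line": PhoneSignals("mobile", None, old),
        "SIM replaced 2h ago": PhoneSignals("mobile", now - timedelta(hours=2),
                                            now - timedelta(hours=2)),
        "VOIP line": PhoneSignals("VoIP", None, old),
        "lookup timed out": PhoneSignals(lookup_ok=False),
    }
    for label, sig in samples.items():
        print(label, "->", otp_decision(sig, now))
```

A `step_up` result means the SMS OTP is withheld and the customer is verified through a different method; logging the returned reasons gives fraud analysts the signal that triggered each refusal.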
Final Words
By embracing FinTech and adopting Instant Payments, the Brazilian government has greatly increased financial inclusion. Unfortunately, however, Brazil, like many other countries, has fallen victim to a surge in fraud as a result of digital banking. To build on its progress while reducing fraud, Brazilian banks and companies can embrace the latest in digital identity technology and prevent SIM swaps from derailing their progress.